22-Apr-02 D.P.Kelsey, Security, UKHEP Sysman

Slide 1: Grid Security
22 Apr 2002, UK HEP Sysman Meeting
David Kelsey, CLRC/RAL, UK

Slide 2: Overview
- What is GSI?
- DataGrid TB1 Security
- Authentication
- Authorisation
- Firewalls
- Operational security procedures

Slide 3: What is GSI?
- Grid Security Infrastructure
- See the recent Globus Developers Tutorial, ev-04-Security1.ppt
- Selected slides from this presentation

Slide 4: DataGrid TB1 Security
- See documentation on the EDG WP6 web site:
  – Usage Rules
  – Users Guide
  – Installation Guide
- The various installation kits do much (most?) of the work for you

Slide 5: Authentication
- Certificates
- Trusted Certificate Authorities
- Converting certificate formats
- Certificate Revocation Lists

Slide 6: Certificates
- Need certificates for:
  – Users: they request their own, with registration confirmation
  – Hosts: for the gatekeeper
  – Services: e.g. LDAP/MDS

Slide 7: Trusted Certificate Authorities
- List maintained by the EDG WP6 CA group
- Procedures and policies compared with minimum requirements
- Matrix of trust being created
- Includes USA and CrossGrid CAs
- Each site has the final say
  – But the default is to accept the EDG list

Slide 8: Converting certificate formats
- 2 formats: PEM and PKCS12
- Extensions: .pem and .p12
- Install the edg-utils package
  – Convert PEM to PKCS12: /opt/edg/bin/grid-mk-pkcs12
  – Convert PKCS12 to PEM: /opt/edg/bin/pkcs12-extract
- Or use openssl commands (see the Installation Guide)
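The conversion that grid-mk-pkcs12 and pkcs12-extract wrap, done with plain openssl commands. This is an added example, not the edg-utils code or material from the slides; it assumes openssl(1) is on PATH and builds a throwaway self-signed key and certificate in a temporary directory. The chmod 600 on the key file reflects the GSI requirement that the private key be readable only by its owner. A round-trip check compares certificate fingerprints before and after the two conversions.

```shell
#!/bin/sh
# Added example (not from the slides or edg-utils): PEM <-> PKCS12 with openssl.
# Assumes openssl(1) on PATH. All key material is throwaway test data.

# Generate a throwaway self-signed key and certificate (constructed test data).
# Usage: make_test_cert dir
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=example/OU=People/CN=Test User" \
        -keyout "$1/userkey.pem" -out "$1/usercert.pem" >/dev/null 2>&1
    chmod 600 "$1/userkey.pem"       # private key: owner-readable only
}

# PEM -> PKCS12 (what grid-mk-pkcs12 does for you).
# Usage: pem_to_pkcs12 usercert.pem userkey.pem out.p12 export-password
pem_to_pkcs12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -name "grid credential" -passout "pass:$4"
}

# PKCS12 -> PEM (what pkcs12-extract does): split into cert and key files.
# Usage: pkcs12_to_pem in.p12 password usercert.pem userkey.pem
pkcs12_to_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4"
    chmod 600 "$4"                   # the extracted key must not be world-readable
}

# SHA-256 fingerprint, used to prove a conversion did not alter the certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Full round trip PEM -> PKCS12 -> PEM; returns 0 when the fingerprints match.
roundtrip_check() {
    dir=$(mktemp -d)
    make_test_cert "$dir"
    pem_to_pkcs12 "$dir/usercert.pem" "$dir/userkey.pem" "$dir/usercred.p12" secret
    pkcs12_to_pem "$dir/usercred.p12" secret "$dir/cert2.pem" "$dir/key2.pem"
    before=$(cert_fingerprint "$dir/usercert.pem")
    after=$(cert_fingerprint "$dir/cert2.pem")
    rm -rf "$dir"
    [ -n "$before" ] && [ "$before" = "$after" ]
}

# Usage: . ./certconv.sh; roundtrip_check && echo "round trip ok"
```

The extracted certificate file carries "Bag Attributes" header lines before the PEM block; openssl and GSI both ignore text outside the BEGIN/END markers, so the fingerprint comparison is the reliable way to confirm the two files describe the same certificate.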

Slide 9: Certificate Revocation Lists (CRL)
- Each CA maintains a signed list of revoked certificates
- Must be current
  – If the local copy is not current, all certificates from that CA are treated as revoked
- GSI checks the local copy of the CRL
- Must copy regularly (every day?)
  – edg-fetch-crl: update the CRLs
  – edg-crl-upgraded: daemon to update them regularly
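The failure mode the slide warns about, reproduced with openssl. This is an added example, not part of the slides or of the edg-fetch-crl tooling: a throwaway CA and one user certificate are constructed in a temporary directory, and two empty CRLs are issued, one valid for a day and one that expires after a second. The verify step with -crl_check is equivalent to the check GSI makes against the local CRL copy; with the stale CRL an unrevoked, otherwise valid certificate is rejected, which is why the fetch has to run regularly.

```shell
#!/bin/sh
# Added example (not from the slides): what an out-of-date local CRL does.
# Assumes openssl(1) on PATH. CA, certificate and CRLs are throwaway test data.

# Verify a user certificate against the CA with CRL checking switched on.
# Returns 0 when the certificate is accepted.
# Usage: verify_with_crl ca.pem crl.pem user.pem
verify_with_crl() {
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}

# Build a throwaway CA, a user certificate signed by it, and the minimal
# 'openssl ca' configuration that -gencrl needs.
# Usage: make_test_ca dir
make_test_ca() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/O=example/CN=Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/O=example/OU=People/CN=Test User" \
        -keyout "$d/user.key" -out "$d/user.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/user.pem" >/dev/null 2>&1
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database    = $d/index.txt
crlnumber   = $d/crlnumber
certificate = $d/ca.pem
private_key = $d/ca.key
default_md  = sha256
EOF
    : > "$d/index.txt"          # empty database: nothing has been revoked
    echo 01 > "$d/crlnumber"
}

# Issue an (empty) CRL whose nextUpdate is the given number of seconds away.
# Usage: issue_crl dir seconds out.pem
issue_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -crlsec "$2" -out "$3" >/dev/null 2>&1
}

# Check the same unrevoked certificate against a fresh and a stale CRL.
# Prints "fresh:accepted stale:rejected" when behaving as the slide describes.
demo_crl_expiry() {
    d=$(mktemp -d)
    make_test_ca "$d"
    issue_crl "$d" 86400 "$d/crl-fresh.pem"     # valid for a day
    issue_crl "$d" 1 "$d/crl-stale.pem"         # valid for one second
    sleep 2                                     # let the short-lived CRL lapse
    fresh=rejected; stale=rejected
    verify_with_crl "$d/ca.pem" "$d/crl-fresh.pem" "$d/user.pem" && fresh=accepted
    verify_with_crl "$d/ca.pem" "$d/crl-stale.pem" "$d/user.pem" && stale=accepted
    rm -rf "$d"
    echo "fresh:$fresh stale:$stale"
}

# Usage: . ./crl-check.sh; demo_crl_expiry
```

Running `openssl crl -in <file> -noout -nextupdate` on the site's installed CRL copies is the quick operational check; any copy whose nextUpdate is in the past means every user of that CA is currently locked out of the site.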

Slide 10: Authorisation
- Usage Rules
  – Users sign this and no other forms
  – Use a browser with your EDG certificate
- Virtual Organisations
  – Users need to request to join
- mkgridmap
  – Tool to create the grid-mapfile
- Pooled accounts (gridmapdir dynamic accounts)

Slide 11: EDG Authorisation – grid-mapfile generation (diagram)
Diagram contents: mkgridmap reads the VO Directory (o=testbed, dc=eu-datagrid, dc=org with ou=People holding CN=Franz Elmer and CN=John Smith; o=xyz, dc=eu-datagrid, dc=org holding CN=Mario Rossi) and the Authorization Directory (ou=People, ou=Testbed1, ou=???), together with the local users and the ban list, and writes the grid-mapfile. The Authentication Certificate (CN=Franz Elmer, CN=John Smith) is what the grid-mapfile entries are matched against.

Slide 12: Authorisation (contd)
- Today can only map one certificate to one account
  – If multiple roles are needed, more than one certificate is needed
- More work is still needed on
  – Registration Authorities for VOs
  – Security of VO LDAP info
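Slides 10 to 12 describe grid-mapfile generation from a VO member list, the site's local users and a ban list. The script below is an added example, not the EDG mkgridmap tool: it merges those three inputs into grid-mapfile lines. The DNs are constructed; the ".testbed1" pool name follows the gridmapdir convention of a leading dot for a pooled account; the local-users file is assumed to be tab-separated "DN<TAB>account". The one-certificate-one-account limit of slide 12 shows up as exactly one line per DN, with the site's static mapping written first so that it wins.

```shell
#!/bin/sh
# Added example (not the EDG mkgridmap tool): build a grid-mapfile from a VO
# member list, a local users file and a ban list.

tab=$(printf '\t')

# Write one grid-mapfile line unless the DN is on the ban list.
# Usage: emit_mapping dn account ban_file
emit_mapping() {
    if grep -qxF -- "$1" "$3"; then
        printf '# banned, not mapped: %s\n' "$1" >&2
        return 0
    fi
    printf '"%s" %s\n' "$1" "$2"
}

# Usage: build_gridmap vo_dns_file pool_account local_users_file ban_file
build_gridmap() {
    vo_file="$1"; pool="$2"; local_file="$3"; ban_file="$4"
    # 1. Site-chosen static mappings ("DN<TAB>account") come first: the
    #    gatekeeper takes the first matching line, so local policy wins.
    while IFS="$tab" read -r dn acct; do
        [ -n "$dn" ] && emit_mapping "$dn" "$acct" "$ban_file"
    done < "$local_file"
    # 2. Every other VO member goes to the pooled account (".<vo>" in the
    #    gridmapdir convention); a DN already mapped locally is not repeated.
    while read -r dn; do
        [ -n "$dn" ] || continue
        cut -f1 "$local_file" | grep -qxF -- "$dn" && continue
        emit_mapping "$dn" "$pool" "$ban_file"
    done < "$vo_file"
}

# Constructed sample inputs; prints the generated grid-mapfile.
demo_gridmap() {
    d=$(mktemp -d)
    # VO directory export, one DN per line (constructed names, not real users)
    cat > "$d/vo-testbed1.dns" <<'EOF'
/O=Grid/O=UKHEP/OU=rl.ac.uk/CN=alice example
/O=Grid/O=UKHEP/OU=hep.ph.ic.ac.uk/CN=bob example
/O=Grid/O=UKHEP/OU=ph.gla.ac.uk/CN=carol example
EOF
    # Local users: this DN gets a real local account rather than the pool
    printf '%s\t%s\n' "/O=Grid/O=UKHEP/OU=rl.ac.uk/CN=alice example" alice > "$d/local-users"
    # Ban list: refused regardless of VO membership
    printf '%s\n' "/O=Grid/O=UKHEP/OU=ph.gla.ac.uk/CN=carol example" > "$d/ban-list"
    build_gridmap "$d/vo-testbed1.dns" .testbed1 "$d/local-users" "$d/ban-list" 2>/dev/null
    rm -rf "$d"
}

# Usage: . ./mkgridmap-demo.sh; demo_gridmap
```

The expected result is two lines: alice mapped to her local account and bob mapped to the .testbed1 pool, with carol absent. Writing banned DNs to stderr rather than silently dropping them gives the operator something to grep for when a user asks why a job was refused.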

Slide 13: Firewalls – ports used
Port   Service
80     HTTP server for Network Monitoring
123    Network Time Protocol
2119   Globus Gatekeeper
2135   MDS info port
2169   FTree info port
2170   Information Index
2171   FTree info port
2811   GSI ftp server
3147   RFIO
7771   Resource Broker
7846   Logging & Bookkeeping
8080   Tomcat Server (R-GMA, SpitFire)
8881   Job Sub. Service (client)
9991   Job Sub. Service (server)

Slide 14: Operational Security
- Each site must nominate a Security Contact
  – But is there a mail list yet?
- Incident discovery
  – We need some tools/procedures (EDG WP6?)
- Audit logs
  – Grid mapping (gatekeeper log)
  – Pooled accounts
  – Both in syslog
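For the audit-log bullet, an added example (not a tool from the slides): a small sh/awk filter that pairs the gatekeeper's "Authenticated globus user" and "Authorized as local user" syslog messages by process id, giving the certificate-DN-to-account mapping for each connection, which is the record an incident responder needs when a pooled account turns up in an alert. The log lines are constructed and the message wording is modelled on the Globus gatekeeper's log messages; treat the exact format as an assumption and adjust the patterns to what your gatekeeper writes.

```shell
#!/bin/sh
# Added example (not from the slides): recover DN -> local account mappings
# from gatekeeper syslog lines. Message wording is an assumption modelled on
# the Globus gatekeeper; adjust the two patterns to your own log format.

# Reads syslog lines on stdin, prints "DN -> account" per authorised connection.
gridmap_audit() {
    awk '
        # Pick up the gatekeeper process id so the two messages belonging to
        # one connection can be paired even when connections interleave.
        match($0, /gatekeeper\[[0-9]+\]/) {
            pid = substr($0, RSTART + 11, RLENGTH - 12)
        }
        /Authenticated globus user: / {
            sub(/.*Authenticated globus user: /, "")
            dn[pid] = $0
        }
        /Authorized as local user: / {
            sub(/.*Authorized as local user: /, "")
            if (pid in dn) {
                print dn[pid] " -> " $0
                delete dn[pid]
            }
        }
    '
}

# Constructed sample log: two interleaved connections and one failed one.
demo_audit() {
    gridmap_audit <<'EOF'
Apr 22 10:01:12 gate1 gatekeeper[1234]: Authenticated globus user: /O=Grid/O=UKHEP/OU=rl.ac.uk/CN=alice example
Apr 22 10:01:12 gate1 gatekeeper[1235]: Authenticated globus user: /O=Grid/O=UKHEP/OU=hep.ph.ic.ac.uk/CN=bob example
Apr 22 10:01:13 gate1 gatekeeper[1234]: Authorized as local user: alice
Apr 22 10:01:13 gate1 gatekeeper[1235]: Authorized as local user: testbed1003
Apr 22 10:01:20 gate1 gatekeeper[1236]: Failed to authenticate globus user
EOF
}

# Usage: grep gatekeeper /var/log/messages | gridmap_audit
```

Piping the output through `sort | uniq -c` gives a per-DN, per-account count over a log window, which is the simplest way to see which certificate was behind a given pooled account (testbed1003 above) at the time of an incident.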